Legal · Privacy

Privacy Policy.

Version 1.0 · Last updated 29 April 2026

In plain English

We collect your email, business name and sector. We use them only to send the brief and run your account. We do not sell your data. We share it only with the processors listed below in §06 to run the service.
Payments go through Stripe — we never see your card number.
Watchdog HQ is an information service, not legal advice. Always verify against the original source — every brief item links to it.
You can ask for a copy of your data, correct it, or delete it at any time. Reply to any brief or email paddy@getwatchdoghq.com.
This summary is a courtesy — the binding policy is below. If anything in this summary differs from the binding text, the binding text governs.

§ 01 · Who we are

The data controller.

Clear Skies Consulting Ltd ("CSC Ltd", "we", "us", "our"), trading as Watchdog HQ, is the data controller for the personal data processed under this policy.

Legal entity	Clear Skies Consulting Ltd
Trading name	Watchdog HQ
Company №	09316512 (registered in England & Wales)
VAT №	GB 211 3250 72
Registered office	5 Lodge Park Drive, Evesham, Worcestershire, WR11 3JY, United Kingdom
ICO registration	ZC137591 (Clear Skies Consulting Ltd, registered with the Information Commissioner's Office for the purposes of the UK GDPR and the Data Protection Act 2018).
Contact	paddy@getwatchdoghq.com
DPO	We have not appointed a Data Protection Officer. We are not required to under UK GDPR Art. 37 (we are not a public authority, our core activities do not require regular and systematic monitoring of data subjects on a large scale, and we do not process special-category data on a large scale). Privacy queries reach a senior member of the company at the contact email above.
Supervisory authority	The UK Information Commissioner's Office (ICO) is our sole supervisory authority. We do not target customers in the EU and have not appointed an EU representative.

§ 02 · What we collect, why, on what legal basis

The data inventory.

We collect only what we need to run the service and your account. Each item is mapped to a UK GDPR Art. 6(1) lawful basis.

Data	Purpose	Lawful basis
Email address	Deliver the weekly brief; account management; password-less sign-in	Art. 6(1)(b) — performance of a contract
Business name (optional)	Personalise the greeting line in briefs	Art. 6(1)(f) — legitimate interest (see § 03)
Business sector	Filter the brief to the regulators and bodies relevant to you	Art. 6(1)(b) — performance of a contract
Payment metadata (Stripe customer ID, subscription ID)	Process recurring billing; manage cancellation; tax record-keeping	Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (HMRC VAT records)
Email engagement (opens, clicks, bounces) — tracked via a standard one-pixel image and link-redirect on outbound emails sent through our email service provider (Resend), and on cold-outreach emails sent through Instantly.io	Improve digest formatting; suppress hard-bounced addresses; debug deliverability; measure cold-email response rates	Art. 6(1)(f) — legitimate interest (see § 03)
Server logs (IP address, user-agent, timestamp)	Operate the service, debug errors, prevent abuse	Art. 6(1)(f) — legitimate interest in service security
Prospect business-contact data (business name, contact name, role, business email) for businesses we have not yet subscribed, sourced from the Companies House public register and public business directories that list estate / letting agents in England	Send a small number of relevant business-to-business introductory emails about the service (cold outreach)	Art. 6(1)(f) legitimate interest (see § 03)

We do not see, store, or have access to your full payment-card number. Card data is collected and held by Stripe on PCI-DSS compliant infrastructure.

During the 30-day free trial, payment-card details are collected by Stripe at sign-up but no charge is taken. The legal-obligation basis for retaining payment records (HMRC) only attaches once the first charge is processed; until then the relevant legal basis for processing is contract performance (Art. 6(1)(b)).

§ 03 · Legitimate interests — our balancing test

Why our use of legitimate interest is fair.

Where we rely on Art. 6(1)(f), we have considered the impact on subscribers and concluded that:

Business name — necessary to make the brief feel like correspondence rather than bulk mail; impact on the subscriber is negligible (it appears only in the salutation); the field is optional and can be left blank.
Email engagement events — necessary to debug deliverability and suppress hard-bounced addresses (without this we would degrade the service for everyone); the impact on a subscriber is minimal because the data is aggregate and never sold or shared; subscribers can object at any time without losing the service.
Server logs — necessary to operate any web service safely; retained briefly (see § 08) and never combined with marketing data.

You can object to any processing based on legitimate interest at any time by emailing paddy@getwatchdoghq.com — see § 07 for your full rights.

Cold business outreach (prospects). If you received an email from us and you have not subscribed, we obtained your business contact details from the Companies House public register and from public business directories that list estate and letting agents in England. This is the source disclosure required by UK GDPR Art. 14(2)(f). We process that data under Art. 6(1)(f) legitimate interest, to send a small number of relevant business-to-business messages about a compliance-monitoring service for your sector. We assessed the impact as low: the data is business-contact only (no special-category data), the volume is small, every message identifies us and carries a one-click unsubscribe, and you can object at any time under Art. 21 by replying "unsubscribe" or emailing us. We then add you to a permanent do-not-contact suppression list and do not email you again. We keep prospect contact data for at most 24 months from collection where you do not engage, and the suppression record indefinitely so your objection is honoured.

§ 04 · What we do not collect

The negative space.

Browsing history outside our website or email.
Location or geolocation data.
Phone numbers, mailing addresses, or social-media handles.
Special-category personal data under UK GDPR Art. 9 (race, religion, health, sexual orientation, political opinions, trade-union membership, biometric or genetic data).
Criminal-conviction data under Art. 10.
Data about anyone under 18. The service is for business use only; we do not knowingly collect data from children.

The landing page uses no third-party analytics, advertising trackers, or fingerprinting scripts.

§ 05 · AI and automated decision-making

What our AI does — and doesn't do.

Watchdog HQ uses AI models from Anthropic (Claude) to read public regulatory and industry publications, classify them, and summarise them into the brief you receive. The AI processes content you read; it does not make decisions about you.

Specifically, we do not use automated processing or profiling to:

Score, rank, or grade subscribers in any way.
Decide eligibility for any service, price, or feature.
Make any decision that produces a legal effect or similarly significant effect on you (UK GDPR Art. 22).

Anthropic processes the public source material we send for summarisation; subscriber identity is not required for summarisation and is not sent. See § 06 for the full sub-processor list and transfer mechanism.

AI summaries may contain errors, omissions or hallucinations. Every brief item links to the original source. Always verify against the source before acting.

§ 06 · Sub-processors and international transfers

Who else handles your data — and how it's protected.

We use the following sub-processors. Each operates under a written data-processing agreement with us as required by UK GDPR Art. 28.

Processor	Purpose	Data shared	Transfer mechanism
Stripe Payments UK Ltd / Stripe Inc.	Payment processing, subscription billing, customer portal	Email, payment-card data (collected by Stripe directly), billing address	UK Stripe entity for UK customers; onward transfer to US under EU Standard Contractual Clauses + UK Addendum (Stripe DPA)
Resend Inc.	Transactional email delivery (briefs, alerts, account)	Email address, email content (generated by us), delivery events	EU Standard Contractual Clauses + UK Addendum (Resend DPA)
Railway Corp.	Application hosting and database (EU/UK region)	Server logs, database contents (encrypted in transit and at rest)	EU Standard Contractual Clauses + UK Addendum (Railway DPA)
Anthropic, PBC	AI summarisation of public regulatory content (Claude API)	Public source material only — subscriber identity is not transmitted	EU Standard Contractual Clauses + UK Addendum (Anthropic Commercial Terms / DPA, no training on inputs)

We will give existing customers at least 30 days' notice by email before adding a new sub-processor or making a material change to one above. You may object by replying within that window; if we cannot accommodate the objection we will offer cancellation with a pro-rata refund of any unused subscription period.

§ 07 · Your rights under UK GDPR

The eight rights we'll honour.

You have all eight rights granted by UK GDPR Art. 12–22:

Access (Art. 15) — request a copy of all personal data we hold about you.
Rectification (Art. 16) — correct inaccurate data.
Erasure (Art. 17) — request deletion ("right to be forgotten").
Restriction (Art. 18) — pause our processing while a dispute is resolved.
Portability (Art. 20) — receive your data in a machine-readable format.
Object (Art. 21) — object to processing based on legitimate interest, including our use of engagement events.
Withdraw consent (Art. 7) — where any processing is based on consent.
Automated decision-making (Art. 22) — not to be subject to a decision based solely on automated processing. As stated in § 05, we do not make such decisions about you.

To exercise any right, email paddy@getwatchdoghq.com. We will respond within one calendar month (UK GDPR Art. 12(3)), extendable by up to two further months for complex requests with notification.

Identity verification. For sensitive requests (erasure, full data export) we may ask for proof that you are the data subject before fulfilling, as permitted by Art. 12(6). By default we will require confirmation from the email address on your account; for higher-risk requests (e.g. complete erasure where billing records would be affected) we may ask for additional information such as a copy of the original Stripe receipt or a recent invoice number. We will not delay fulfilment beyond what is reasonably necessary to verify the request.

Fees. Requests are free of charge. We may charge a reasonable fee or refuse to act for "manifestly unfounded or excessive" requests, as permitted by Art. 12(5).

Stopping email and ending the service. Three different actions are available:

Marketing opt-out — stops marketing-only emails (see §11) but the weekly brief and account emails continue. Email paddy@getwatchdoghq.com with "Marketing opt-out".
Cancellation — ends the subscription, ends billing and stops the brief. The unsubscribe link in any brief — which includes your email address as a parameter — performs a full cancellation: it sets your subscription status to cancelled, stops the brief, and stops further charges. If you have lost the link, email paddy@getwatchdoghq.com from the address on your account and we will action the cancellation. Account data is retained for 30 days after cancellation (per §08) so you can resubscribe without re-entering details.
Erasure — full deletion of personal data. Email paddy@getwatchdoghq.com exercising the erasure right above. We may need to retain some data to meet the legal-obligation retention in §08 (HMRC VAT records).

The brief itself is the service — we cannot keep an active subscription while indefinitely suppressing brief delivery, because the brief is what you have subscribed to. If you want to pause the brief but not cancel, email us and we will best-endeavour to suspend delivery while keeping the account live; this is offered as a courtesy and is not a guaranteed feature.

§ 08 · How long we keep data

Retention schedule.

Category	Retention period	Reason
Account data (email, business name, sector)	Active subscription + 30 days after cancellation or termination. Records relating to a live dispute are retained until the dispute is resolved.	UK GDPR Art. 5(1)(e) — storage limitation. 30 days lets you change your mind and resubscribe without re-entering details. Where retention is extended for dispute resolution, the basis is Art. 6(1)(f) legitimate interest in establishing, exercising or defending legal claims.
Email engagement events	13 months	One season of weekly cycles for content optimisation.
Server logs (IP, user-agent)	30 days rolling	Operational debugging and abuse prevention only.
Payment and invoice records	7 years from end of relevant accounting period	HMRC VAT Notice 700/21 § 19 and the Companies Act 2006 record-keeping requirements.
Marketing-suppression list (unsubscribed addresses)	Indefinite	To honour your unsubscribe — required to ensure we do not contact you again. Contains email address only.

§ 09 · Security

How we protect your data.

All data in transit is encrypted with TLS 1.2+ (HTTPS only — HTTP redirects to HTTPS).
Database storage is hosted on Railway in EU/UK regions with encryption at rest.
Application secrets are held in environment variables, never in source control.
Access to production systems is limited to named directors of CSC Ltd and protected by hardware-key two-factor authentication.
Payment data never reaches our infrastructure — Stripe handles it directly on PCI-DSS Level 1 systems.

No security measure is perfect. If we become aware of a personal-data breach affecting your data, we will:

Notify the ICO within 72 hours of becoming aware (UK GDPR Art. 33), unless the breach is unlikely to result in a risk to your rights and freedoms. Where notification is delayed beyond 72 hours we will provide reasons for the delay as Art. 33(1) requires.
Notify affected subscribers without undue delay (UK GDPR Art. 34) where the breach is likely to result in a high risk to your rights and freedoms. The notification will describe the nature of the breach, our point of contact for queries, the likely consequences, and the measures we have taken or propose to take.

§ 10 · Cookies

What cookies we set, and don't.

On the Watchdog HQ website (watchdog-hq.co.uk) we set no cookies for analytics, advertising, profiling or tracking. The landing page is static.

When you click through to Stripe's hosted Checkout or Customer Portal, Stripe sets strictly-necessary session cookies (__stripe_mid, __stripe_sid) on its own domain (stripe.com / checkout.stripe.com), not ours. These are required for the payment flow to function and are exempt from cookie-consent rules under PECR reg. 6(4)(b).

If we add any analytics in the future we will update this section, post a banner, and obtain consent before any non-essential cookie is set.

§ 11 · Marketing communications

What we send, and how to stop it.

The weekly brief is the service itself — it is what you have subscribed to and we treat it as transactional, not marketing. It will continue while your subscription is active.

Separately, we may occasionally email existing customers about closely related products, features or sectors. We rely on the soft opt-in under PECR reg. 22(3): you gave us your email when subscribing to a similar product, you were given a clear opt-out at that point, and every such email contains a one-click List-Unsubscribe header and a footer unsubscribe link.

You can opt out of marketing-only emails (without losing the service) at any time by emailing paddy@getwatchdoghq.com.

§ 12 · Changes to this policy

How updates work.

We will update this policy when our practices change. Material changes (new sub-processor, new processing purpose, new data category, change of legal basis) will be notified by email at least 14 days before they take effect. Non-material clarifications take effect when posted.

The "Last updated" date and version at the top of this page reflect the current version. A change history is appended below.

§ 13 · Complaints

Where to escalate.

If you are unhappy with how we handle your data, please tell us first — email paddy@getwatchdoghq.com and we will investigate. You also have the right to complain to the Information Commissioner's Office at any time:

ico.org.uk/make-a-complaint
0303 123 1113
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

§ 14 · Change history

Version history.

Version	Date	Summary
1.0	29 April 2026	Initial release covering UK GDPR Art. 13 information requirements, sub-processor list with international-transfer mechanisms, eight subject rights, AI/Art. 22 disclosure, retention schedule with legal bases, breach notification commitment.